CVE-2025-7362 in MsUpload Extension
Summary
by MITRE • 07/08/2025
The MsUpload extension for MediaWiki is vulnerable to stored XSS via the msu-continue system message, which is inserted into the DOM without proper sanitization. The vulnerability occurs in the file upload UI when the same filename is uploaded twice.
This issue affects MediaWiki - MsUpload extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2.
Analysis
by VulDB Data Team • 07/10/2025
CVE-2025-7362 is a critical stored cross-site scripting flaw in the MsUpload extension for MediaWiki, a widely used content management system for wikis. The weakness lies in the handling of the msu-continue system message, which provides user feedback during the file upload process. It manifests when a user attempts to upload a file whose filename matches one already uploaded: malicious input stored in the application's message system is then executed in the context of other users' browsers. The root cause is insufficient sanitization of user-provided data before it is inserted into the Document Object Model, which lets an attacker inject scripts.
Exploitation occurs through the file upload interface of MediaWiki's MsUpload extension. When a user uploads a file with a filename that already exists in the system, the msu-continue system message is generated to inform the user of the duplicate upload attempt. This message is not validated or sanitized before being rendered in the browser DOM. The affected versions are 1.39.X prior to 1.39.13, 1.42.X prior to 1.42.7, and 1.43.X prior to 1.43.2, so the flaw has persisted across several major release lines and represents a significant security gap in the extension's message handling. This stored XSS vulnerability allows attackers to execute JavaScript in the context of other users' browsers, potentially leading to session hijacking, privilege escalation, or data exfiltration.
The operational impact of CVE-2025-7362 extends beyond simple script execution, because it can be leveraged for more sophisticated attacks in wiki environments where users may have elevated privileges. When exploited, it enables attackers to inject scripts that manipulate the wiki interface, steal user credentials, or redirect users to malicious websites. Because the vulnerability is stored, an injected message persists and affects all users who encounter the affected system message, which makes it particularly dangerous in collaborative environments where multiple users interact with the same wiki platform. The vulnerability maps to CWE-79, which addresses cross-site scripting flaws, and aligns with ATT&CK technique T1566.001 for initial access through malicious file uploads, potentially enabling further compromise of the wiki infrastructure.
Organizations using MediaWiki with the MsUpload extension should prioritize patching to versions 1.39.13, 1.42.7, and 1.43.2, which contain the sanitization fixes for the affected system message handling. Additional defensive measures include strict input validation for all user-provided data within the upload process, Content Security Policy headers to limit script execution, and monitoring of system messages for anomalous patterns that might indicate exploitation attempts. Network-based detection systems should be configured to monitor for suspicious file upload patterns and potential XSS payloads in system messages. The vulnerability demonstrates the importance of proper input sanitization in web applications and the need for comprehensive security testing of user-facing interfaces, particularly those handling file uploads and system notifications. Seemingly benign functionality can become a significant security risk when sanitization controls are absent from the application's data processing pipeline.
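
The sanitization and message-monitoring measures above, sketched as an added example (not MsUpload or MediaWiki code). The function names, the `msu-notice` class, the `example-message` key and the sample message texts are constructed for illustration; only the `msu-continue` key comes from this page.

```javascript
// Hypothetical helpers illustrating the bug class; not the extension's real code.

// Escape the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the system message text is concatenated into markup as-is,
// so any markup stored in the message becomes live DOM when the notice is shown.
function renderContinueNoticeUnsafe(messageText) {
  return '<span class="msu-notice">' + messageText + '</span>';
}

// Hardened pattern: the message is treated as plain text and escaped first.
function renderContinueNoticeSafe(messageText) {
  return '<span class="msu-notice">' + escapeHtml(messageText) + '</span>';
}

// Heuristic indicators for monitoring: markup that a plain UI label should not contain.
const INDICATORS = [
  { name: 'html-tag', re: /<\s*\/?\s*[a-z][^>]*>/i },
  { name: 'event-handler', re: /\bon[a-z]+\s*=/i },
  { name: 'script-url', re: /\bjavascript\s*:/i },
];

// Return the message overrides whose text matches at least one indicator.
function auditMessages(overrides) {
  return overrides
    .map((m) => ({
      key: m.key,
      hits: INDICATORS.filter((p) => p.re.test(m.text)).map((p) => p.name),
    }))
    .filter((r) => r.hits.length > 0);
}

// Constructed sample data: one tampered override and one ordinary label.
const sampleOverrides = [
  { key: 'msu-continue', text: 'Continue <img src=x onerror="console.log(1)">' },
  { key: 'example-message', text: 'Upload all files' },
];

console.log(renderContinueNoticeSafe(sampleOverrides[0].text));
console.log(JSON.stringify(auditMessages(sampleOverrides)));
```

On a MediaWiki installation, local overrides of system messages are pages in the `MediaWiki:` namespace, so that namespace is where such an audit would take its input. The indicators are heuristics and will also flag messages that legitimately contain markup.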